OpenLMIS optionally uses SSL and an accompanying SSL certificate. Within the context of SELV, this certificate is currently a wildcard certificate for the *.villagereach.org domain (and its set of subdomains). This certificate will eventually expire, after which it will need to be replaced. There are a number of places where it would have to be replaced:

  1. selv.villagereach.org
  2. selv-training.villagereach.org
  3. PuTTY instances used for the SELV data edit tool.

Updating selv.villagereach.org

Original Instructions from Mike:

The process for updating the SELV certificate is straightforward yet tedious.

Below are the contents of the readme.txt notes created when it was updated last:

This SSL configuration is set up for the gandi.net certification provider.

The certificate is a SHA2 certificate which needs a chain file created that contains both the intermediate certificate and the cross-signed certificate into a single bundle stored in a PEM file.

The file villagereach-chain.pem is simply the GandiStandardSSLCA2.pem concatenated with the USERTrustRSAAddTrustCA.pem file. NOTE: These two files are in this directory, but only for reference. Their contents are duplicated in the villagereach-chain.pem file.

Then, in the Apache configuration file, you must use the SSLCertificateChainFile directive to specify the chain file.

See: http://wiki.gandi.net/en/ssl/intermediate#sha2_intermediate_certificates

These keys are copied to /etc/httpd/conf.d/ssl on selv.villagereach.org. The appropriate configuration file is in the conf.d directory.

New Instructions from Ben:

The original instructions above aren't wrong per se, and they're definitely worth referencing. They purport to be "tedious," though, and indeed seem more convoluted than need be. The following instructions are thus intended as an alternative.

  1. Purchase a new SSL certificate. This can be done from a variety of places, and we chose gandi.net. Whoever you buy the certificate from should provide detailed instructions. They'll likely tell you how to generate a CSR (Certificate Signing Request) file using a tool like OpenSSL. After creating it, you upload the CSR file to their site as a formal means of requesting a new SSL certificate.

  2. It may take several hours for your certificate provider to prepare a new certificate. When they notify you that it's ready, simply download it.

  3. Update OpenLMIS with the cert downloaded in step 2. This can be done via Chef, Puppet, or any other means. The manual method is the most fundamental, however, and is thus what's described here. Specifically, assuming a CentOS host, navigate to /etc/httpd/conf.d/ssl. Look for a file called "openlmis.crt", or something similar. Rename your new .crt file so that it matches the original one's name, and replace the old one with the new one within /etc/httpd/conf.d/ssl.

  4. Restart Apache by running:
    /sbin/service httpd restart && sleep 1
    /sbin/service httpd reload && sleep 1

NOTE: Steps 3 and 4 may be different for our Docker-based installations of OpenLMIS, which exclusively use Tomcat.
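The steps above build the chain bundle, copy the files into /etc/httpd/conf.d/ssl and restart Apache, but none of them verify the new certificate before it goes live. The POSIX shell script below is an added example (not from this wiki page or from the OpenLMIS/SELV project) that wraps those steps in the checks worth running first: that the certificate matches the server's private key, that it validates against the concatenated chain and covers the host name, and that it is not about to expire. The function names, the openlmis.crt file name and the argument order of the chain files are assumptions; only the /etc/httpd/conf.d/ssl path and villagereach-chain.pem come from the notes above.

```sh
#!/bin/sh
# Added example, not part of the wiki page or of OpenLMIS/SELV. Only /etc/httpd/conf.d/ssl
# and villagereach-chain.pem come from the notes above; every other name is an assumption.
set -u

# Build the chain bundle exactly as the readme describes: intermediate certificate first,
# then the cross-signed certificate, concatenated into a single PEM file.
build_chain() {  # build_chain INTERMEDIATE.pem CROSS_SIGNED.pem OUT.pem
    cat "$1" "$2" > "$3"
}

# Succeed only if the public key in the certificate is the one derived from the private
# key Apache uses (catches a certificate issued from a CSR made with a different key).
cert_matches_key() {  # cert_matches_key CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate validates against the chain bundle and its name covers
# HOSTNAME (a wildcard such as *.villagereach.org matches selv.villagereach.org).
cert_chain_ok() {  # cert_chain_ok CERT.pem CHAIN.pem HOSTNAME
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Succeed only if the certificate is still valid DAYS days from now.
cert_valid_for_days() {  # cert_valid_for_days CERT.pem DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check, then install the files and restart Apache as in steps 3 and 4 above.
deploy_cert() {  # deploy_cert CERT.pem KEY.pem CHAIN.pem HOSTNAME [SSL_DIR]
    ssl_dir="${5:-/etc/httpd/conf.d/ssl}"
    cert_matches_key "$1" "$2"   || { echo "certificate does not match private key" >&2; return 1; }
    cert_chain_ok "$1" "$3" "$4" || { echo "chain or host name check failed" >&2; return 1; }
    cert_valid_for_days "$1" 30  || { echo "certificate expires within 30 days" >&2; return 1; }
    cp "$1" "$ssl_dir/openlmis.crt" || return 1          # file name assumed, see step 3
    cp "$3" "$ssl_dir/villagereach-chain.pem" || return 1
    /sbin/service httpd restart && sleep 1 && /sbin/service httpd reload
}
```

A typical run is `deploy_cert new.crt server.key villagereach-chain.pem selv.villagereach.org`; any failed check stops before anything is copied.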

Updating selv-training.villagereach.org

selv-training is hosted in the Docker instance. The same certificates created above need to be configured within the appropriate configuration there.

These keys are copied to /etc/httpd/conf.d/ssl on the Docker instance. The appropriate configuration file is the selv-training conf file in the conf.d directory.
